WooBoard Security Practices

Encryption

User passwords are never stored in plain text and are both salted and hashed using industry best practices. Token URLs (such as password reset links and invite links) have a minimum length of 30 characters, with 64 possible values for each character. SHA-256 SSL encryption is used for HTTPS connections.

Authentication and Authorisation

Interaction within a WooBoard account requires authentication through an email address and a minimum 6-character password. Authentication and authorisation are implemented so that all pages require authentication by default, and pages must be specifically white-listed to be reachable without authentication (public pages, marketing pages, etc.). This greatly reduces the risk of Direct Object Reference (DOR) bugs. By default only one user has administrative access to an account (more people can be assigned), and inviting users to join a WooBoard account can be restricted to administration users.
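The authenticated-by-default rule described above, sketched as an added example (not WooBoard's own code): the session check lives in the dispatcher, so a route is anonymous only if it is explicitly listed as public. The App and Request classes, the route paths and the audit_public helper are all hypothetical names chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means no authenticated session

class App:
    """Hypothetical dispatcher: every route needs a session unless allow-listed."""

    def __init__(self) -> None:
        self.routes: Dict[str, Callable[[Request], str]] = {}
        self.public: Set[str] = set()  # explicit allow-list of anonymous paths

    def route(self, path: str, public: bool = False):
        def register(handler):
            self.routes[path] = handler
            if public:
                self.public.add(path)
            return handler
        return register

    def dispatch(self, req: Request) -> Tuple[int, str]:
        # The check runs before handler lookup and outside the handlers, so a
        # handler cannot skip it by omission and unknown paths stay closed too.
        if req.path not in self.public and req.user is None:
            return 401, "login required"
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        return 200, handler(req)

app = App()

@app.route("/pricing", public=True)  # deliberately allow-listed
def pricing(req: Request) -> str:
    return "pricing page"

@app.route("/posts")  # no annotation: protected by default
def posts(req: Request) -> str:
    return f"posts for {req.user}"

@app.route("/admin/export")  # new route whose author never thought about auth
def export(req: Request) -> str:
    return "account export"

def audit_public(a: App):
    """Everything reachable anonymously, short enough to review on each change."""
    return sorted(a.public)
```

The example covers the authentication default only; checking that a signed-in user may access a particular object is a separate control inside the handlers.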

Storage and Servers

WooBoard's infrastructure runs on virtual servers that are hosted in the USA within data centres that have PCI Level 1 compliance. Access to the database layer is restricted to essential staff, and database servers are regularly updated with maintenance and security patches. The underlying service provider is Amazon Web Services. Full access to WooBoard application servers and databases is limited to senior developers.

Code Quality

All code is extensively tested through Test Driven Development (TDD) and Continuous Integration practices. Each code change also undergoes a code review before being deployed.